12
Feb 19

Patch Tuesday, February 2019 Edition

Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month’s patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.

Some 20 of the flaws addressed in February’s update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems through little or no help from users — save from convincing a user to visit a malicious or hacked Web site.

Microsoft patched a bug in Internet Exploder Explorer (CVE-2019-0676) discovered by Google that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target’s hard drive.

Another critical vulnerability that impacts both end users and enterprises is a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. “Windows DHCP client”). That flaw, CVE-2019-0626, could let an attacker execute malcode of his choice just by sending the target a specially crafted DHCP request.

At the top of the list of patch concerns mainly for companies is a publicly disclosed issue with Microsoft Exchange services (CVE-2019-0686) that could allow an attacker on the same network as the target to access the inbox of other users. Microsoft said it has not seen active exploitation of this bug yet, but considers it likely to be exploited soon.

Security experts are fond of saying “patch now!” when it comes to Windows bugs, but in general it can’t hurt for regular users to wait a day or two after Microsoft releases monthly security updates before installing the fixes. That’s because occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out.

Just don’t put off the task too long. And bear in mind it’s a good idea to get in the habit of backing up your data before installing Windows updates, to hedge against the odd case in which a wonky patch ends up rendering your system unusable until you can work out how to reverse the changes.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Microsoft also included fixes to address a single vulnerability in Adobe Flash Player. Microsoft and Adobe disagree on the severity of this flaw, according to security firm Qualys. Adobe labels it an “important” bug, while Microsoft tags it with a far more severe “critical” label. Regardless, Flash flaws are favorite targets of attackers. If you browse the Web with IE or Edge, this month’s patch batch from Microsoft has you covered.

Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

Adobe also released updates for Adobe Acrobat and Reader that plug at least 70 security holes in these applications, so if you have either installed please be sure to update those.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Tags: , , , , , , ,

37 comments

  1. The Sunshine State

    Their was also a security update today for Firefox 65.0 (64 bit)

  2. Every time I try to check for updates on my and my wife’s Windows 10 laptops I get the following message: “We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.”

    I don’t have any problems connecting to the internet.

    Any help would be greatly appreciated. Thank you.

    • I would just wait a while and try again later. Windows Update is notorious for being non-responsive and slow.

    • Brian Fiori (AKA The Dean)

      If it happens every time, it’s probably not Windows Update not being available. Try running the Windows Update Troubleshooter (located in the Control Panel) in Advanced mode. Unlike past Windows versions, Windows 10 troubleshooters actually work once in a while.

    • Did you set up a DNS filtering service with an alternative provider than your ISP, or a firewall, perhaps to block porn and other obtrusive content from your home?

      If so, check that you aren’t blocking Microsoft domains.

    • I’ve run into this before and found that the windows update service had been disabled somehow. If you enable it and start it up, you should be able to run windows updates after. Be mindful that it may be disabled again after a reboot.

  3. Yesterday’s MS patches caused my machine to refuse to start this morning. After trying to start up in safe mode it went into reversing the updates…

    • mine too. just got the update, it restarted and now it shows just the waiting-circle since minutes… my system usually finishes this smaller updates in under 20 seconds. i will also try to revert tomorrow and somehow block the update for now…

      • I am so glad I read the above two comments. I will wait until next week to turn on my Windows 10 system…

  4. Great article as always. Thanks for your work Brian. There was also Firefox update.

    Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  5. When I try to update my Windows 10, I receive the following message: Error Encountered. We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.

    Any help would be greatly appreciated. Thank you.

  6. fraud is not really crime.
    bank Will refund all the loss to customers.
    its just the Way to add more Money in the circlelation.
    banks have in insurance what is the problem?

    • Igor: “But officer, fraud is not really crime. Bank will refund all the loss to customers. Banks have insurance, what is the problem?”

      Officer: “Dang, Igor… I never thought about that. I can’t believe in the many, many decades of fraud being a punishable crime, some commentor on KrebsOnSecurity has finally cracked the code!”

      *All law is re-written months later*
      *Igor receives a Nobel Peace Prize*
      *All world hunger has stopped as a result*
      *Fast forward many years later: the officer is on his death bed and whispers something in Igor’s ear*

      Officer: “Igor… this… all of this… is a direct result… of… of… you. You… cracked the code………. you’ve… solved.. world hunger.

      *Officer breathes his last breath, the monitor flat-lines, one single tear streams down Igor’s face*
      *A multitude of people gather and start chanting Igor’s name*
      *Millions of Bank Managers and criminals who committed fraud are seen holding hands and hugging*
      *Igor slowly walks down the hospital corridor and fades into the shadows*

      • I detect a potential winner in the next Bruce Schneier security theatre movie plot contest!

      • fraud Will Help to print more Money.
        Without fraud this Financial ponzi scheme Will collapse… insurance Companies Don’t have money what they have is just Commercial paper they to pass its to the bank. now bank Give signal to fed to print out money. so for Every reported stolen 5000. there Will be created othrer 5000 $ in circlelation.
        and Collateral for this created money Will be the victim himself.

        other words…. no fraud no Money in circlelation.

    • The problem is that insurance companies exist in order to remove money from circulation

    • Trawler alert. Attempt to move discussion away from the topic. Ignore Igor.

  7. There are various types of fraud. Those fraudulent acts that are listed in the law as being a crime hurt a person/business. Some persons/businesses may not be directly hurt by the fraudulent act, but if an insurance company reimburses a person/business, this increases the insurance company’s operating expense and will ultimately increase the insurance premium that is paid by everyone. For those who have been directly hurt by a fraudulent act, they are without the funds that were stolen/taken from the for a while, and they have to waste time addressing the fraudulent act committed against them. For the law enforcement people (judges, attorneys, juries, witnesses, etc.) they have to also spend additional time addressing the matter, and ultimately this increases their expenses or takes time away from other work.

    There is no such thing as a victimless crime.

    Regards,

    • “There is no such thing as a victimless crime.”

      As long as all of the participants consent, drug use and prostitution are victimless crimes.

    • “There is no such thing as a victimless crime.”

      Sure there is. Speeding over the speed limit by 5 mph. Smoking a little weed in your backyard. Sad to say that there is a lot of money being made in the criminal justice system for things that shouldn’t be crimes but are. And things that should be crimes aren’t because of the flow of ‘donor’ money in other directions…

  8. So far so good. Performed updates on two Windows 10 Enterprise laptops and three Windows Server 2012 Standard servers without any problems. Keeping fingers crossed…

  9. 4 Win 10 pro machines, no issues
    2 2008 Servers no issues but they are old 🙂

  10. I think Igor needs 1, an English grammar book, 2. a book on economics NOT written by Karl Marx and 3. a book on banking and the money supply.

  11. does anyone know if KB4487345 is included in the Quality Roll-up? I can’t seem to find it. It is the issue that caused Win7 the inability to connect to Win2008 SMB shares unless they were in the Admin group. Thanks.

  12. Comparing to linux, is this showing how poor of a motivator money is for producing robust products (oh, wait, didn’t we know that already?)?

  13. That stupid update took a massive 1 hour to complete. After that I discovered that all my display drivers were deleted and replaced with a Microsoft 2006 driver (?!). My screen looked like something out of the 60’s …

    Just for fun, it added a huge 60GB amount of rubbish to my harddrive.

    There were more, minor problems all of which I have now solved (including the two mentioned above), apart from one: my taskbar keeps disappearing. I ran that sfc /scannow thing about 20 times and restarted Exploder so many times I lost count. Nothing works, until I’m fed up and take a break. When I come back the taskbar has appeared again … for about half an hour …

    Honestly, are those Microsoft jokers for real?

  14. How is one of these critical, the one that lets attackers see if you have certain files on your hard drive? How can the mere presence of some file be critical?

  15. Please help me my Galaxy S8 is acting crazy and so is my Acer Chromebook. I don’t know what to do, I called my carrier T mobile and even factory reset my phone. Also I had a pro lem getting into my phone and they r ed’s et it last year around July at. Tmobile location. Sites are phony I try to go on, my bluetooth is going off and on by itself and weird images and files. I gave so many screenshots of devices that i do not know why they are connected to my activity. I tried calling the precinct 4 officer and explain even more but no one jot even my family believe me they seem to think I’m going crazy. But I’m not even able to access my college site …it connects but if i click anything it crashes and logs me out. Please help me
    Thank for your time. God bless.
    832-807-9567
    Lmciarella3@gmail.com
    I’m hoping this is a real site I asked God to help me and I somehow found this site. There’s more to my story and I’m scared, I just want true friends who want to encourage me and help me out my depression PTSD that others seem to know that is my weakness and I don’t know who to trust any more. I bel ki eve I have proof but not sure as I keep.getting almost run off the road everytime try to go anywhere. I hear Gid saying hold on but I’m tired. I’m not crazy, I’m a smart Lady that needs a new beginning with amazing people and God to show me the ones who are do not have my best interest at heart.

    • Sorry for the typos….that seems to be another issue

      Please help me my Galaxy S8 is acting crazy and so is my Acer Chromebook. I don’t know what to do, I called my carrier T mobile and even factory reset my phone. Also I had a PROBLEM getting into my phone and they FACTORY RESET it last year around July @ a Tmobile location. Sites are phony I try to go on, my bluetooth is going off and on by itself and weird images and files. I gave so many screenshots of devices that i do not know why they are connected to my activity. I tried calling the precinct 4 officer twice and explain even more but no one jot even my family believe me they seem to think I’m going crazy. But I’m not even able to access my college site …it connects but if i click anything it crashes and logs me out. Please help me
      Thank for your time. God bless.
      832-807-9567

  16. Call me lazy but why do people feel they need to update with this junk? Updates don’t do anything.